Certificates

What are certificates?

On the internet, a public key certificate is needed in order to verify the identity of people or computers. These certificates are also called “SSL Certificates” or “Identity Certificates.” We will just call them “certificates” here.

In particular, certificates are needed to establish secure connections. Without certificates, you would be able to ensure that no one else was listening, but you might be talking to the wrong computer altogether! All riseup.net servers and all riseup.net services allow or require secure connections.

To make sure you are actually creating a secure connection with Riseup, you can follow the below steps to verify our certificates. This verification process is not required in order to use Riseup’s services. However, without verification, you cannot be certain you actually are connecting to our servers, and you cannot be certain that your connections are secure.

Verify Riseup’s certificates

To verify these fingerprints, you need to look at what your browser believes the fingerprints are for the certificates and compare them to what is listed below. If they are different, there is a problem. Be warned: a complete verification is difficult and requires an understanding of OpenPGP.

The fingerprints for Riseup's certificates are:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512


As of May 29, 2017, the following are the fingerprints for Riseup's
certificates:

!!! NOTE: This following certificate is now an auto-renewed Let's Encrypt
    certificate, it will be renewed in approximately 3 months and we will cease
    to list its fingerprint here
!!!
.  help.riseup.net
      SHA-256 fingerprint:
              4df80dbf1c44d4a4edc8fdf000afec2093fe2ed7e3be5495749227d646347f5c
      SHA-1 fingerprint:
              f8bd3869d4f879cacc524860a176fa997ea73a88

!!! NOTE: This following certificate is now an auto-renewed Let's Encrypt
    certificate, it will be renewed in approximately 3 months and we will cease
    to list its fingerprint here
!!!
.  riseup.net
      SHA-256 fingerprint:
              9c03fbef8e9c0c33ad604214abff0c1418278eec2e7919ecc943077fb4d8da25
      SHA-1 fingerprint:
              4c67b75e91037d96af97009cfe7a931135af4301

!!! NOTE: This following certificate is now an auto-renewed Let's Encrypt
    certificate, it will be renewed in approximately 3 months and we will cease
    to list its fingerprint here
!!!
.  www.riseup.net
      SHA-256 fingerprint:
              c760ccc1bed90d26eaa514a3d8b83791c2b1db871cfc43e66442e9ccd499a53f
      SHA-1 fingerprint:
              b93def89e3602c4276e685875c1fdfcb93df9f65

.  *.riseup.net, riseup.net
      SHA-256 fingerprint:
              101c50eb4d4ac4cb9633c4de10c09c5fbee46801c023d48d2dfe0b02e27eedc0
      SHA-1 fingerprint:
              86a010ddba262196d7f6f1f47ae03032f9031c32

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

When should I verify these fingerprints?

You should verify these fingerprints whenever they change, or you are using a computer that you do not control (such as at an internet cafe, or a library).

Basic verification

  1. Find the fingerprint of the certificate your browser sees. In most browsers, you can do this by clicking on the lock icon in the location bar. This should bring up details about the certificate being used, including the fingerprint.
  2. Compare the fingerprint the browser reports with the fingerprints listed above.

If you are interested in doing a complete verification, you will need to follow a more complicated technical process that requires knowledge of OpenPGP.

Complete verification

Warning: this process is fairly technical; it requires familiarity with OpenPGP and the command line, and it assumes you have the program gpg installed.

Import Riseup’s OpenPGP key

Before you continue, please make sure you have selected a good keyserver.

On the terminal (press Alt+F2 and enter gnome-terminal), import Riseup’s public OpenPGP key from a keyserver:

gpg --keyserver keys.riseup.net --recv-key 0x4E0791268F7C67EABE88F1B03043E2B7139A768E
gpg --fingerprint 0x4E0791268F7C67EABE88F1B03043E2B7139A768E

The first line will import the key into your keyring, but there is no guarantee that you actually imported the right key. The --fingerprint command shows the fingerprint of the key so that you can confirm you imported the correct one. You should see output that contains this line:

Key fingerprint = 4E07 9126 8F7C 67EA BE88  F1B0 3043 E2B7 139A 768E

There is no particular reason that you should trust this key. You can see who has trusted it:

gpg --list-sigs 0x4E0791268F7C67EABE88F1B03043E2B7139A768E

Verify Riseup’s Certificate

Now that you have imported Riseup’s public key, you can verify that the fingerprints listed on this page are really from riseup.net.

  1. Download the signed certificate fingerprint statement:
    wget riseup.net/certificates/riseup-signed-certificate-fingerprints.txt
  2. Then run this command in a terminal:
    gpg --verify riseup-signed-certificate-fingerprints.txt
  3. You should get output that says:

gpg: Good signature from "Riseup Networks <collective@riseup.net>"

You should make sure that it says “Good signature” in the output! If this text has been altered, then this information should not be trusted.

Unless you have taken explicit steps to build a trust path to the Riseup Collective key, you will see a warning message similar to:

gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.

However, you still should see the “Good signature”.
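The two gpg steps above (importing the key and checking its fingerprint, then verifying the signed fingerprint statement) can be made scriptable. The following Python example is added here and is not part of Riseup's page or tooling: it reads gpg's machine-readable output (`--with-colons` for key listings, `--status-fd` for verification) instead of the human-readable text, and compares the fingerprint of the key that actually made the signature with the Riseup fingerprint listed above. The sample gpg output embedded in it is constructed for illustration (the Riseup fingerprint and key id are the ones on this page; the subkey and "other key" values are made up), and `run_gpg_verify` is an assumed wrapper around a locally installed gpg.

```python
import subprocess

# Fingerprint of the Riseup Collective key as listed on this page.
RISEUP_KEY_FPR = "4E07 9126 8F7C 67EA BE88  F1B0 3043 E2B7 139A 768E"


def _clean(fpr: str) -> str:
    """Fingerprints are compared without spaces and case-insensitively."""
    return fpr.replace(" ", "").upper()


def key_fingerprints(colon_output: str) -> list:
    """Extract fingerprints from `gpg --with-colons --fingerprint KEY` output.
    An 'fpr' record carries the fingerprint in its 10th field; the first
    fpr record belongs to the primary key, later ones to subkeys."""
    fprs = []
    for line in colon_output.splitlines():
        fields = line.split(":")
        if fields[0] == "fpr" and len(fields) > 9:
            fprs.append(fields[9].upper())
    return fprs


def imported_key_is_riseup(colon_output: str, expected: str = RISEUP_KEY_FPR) -> bool:
    """True only if the primary-key fingerprint matches the one on the page."""
    fprs = key_fingerprints(colon_output)
    return bool(fprs) and fprs[0] == _clean(expected)


def check_signature_status(status_output: str, expected: str = RISEUP_KEY_FPR) -> dict:
    """Interpret `gpg --status-fd 1 --verify FILE` lines.
    GOODSIG: the signature verifies.  VALIDSIG: carries the fingerprint of the
    signing (sub)key and, as its last field, the primary key fingerprint, which
    is the value to compare.  TRUST_UNDEFINED / TRUST_NEVER only mean no trust
    path exists (gpg's 'not certified' warning), not that the signature is bad."""
    result = {"good": False, "bad": False, "signer_fpr": None,
              "primary_fpr": None, "trusted": False, "signer_is_riseup": False}
    for line in status_output.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        keyword = parts[1]
        if keyword == "GOODSIG":
            result["good"] = True
        elif keyword in ("BADSIG", "ERRSIG", "NODATA"):
            result["bad"] = True
        elif keyword == "VALIDSIG":
            result["signer_fpr"] = parts[2].upper()
            # the 12th field (index 11) is the primary key fingerprint when present
            result["primary_fpr"] = (parts[11] if len(parts) > 11 else parts[2]).upper()
        elif keyword in ("TRUST_FULLY", "TRUST_ULTIMATE"):
            result["trusted"] = True
    result["signer_is_riseup"] = (result["good"] and not result["bad"]
                                  and result["primary_fpr"] == _clean(expected))
    return result


def run_gpg_verify(path: str, expected: str = RISEUP_KEY_FPR) -> dict:
    """Assumed wrapper: run a locally installed gpg on the downloaded
    riseup-signed-certificate-fingerprints.txt and interpret its status lines."""
    proc = subprocess.run(["gpg", "--status-fd", "1", "--verify", path],
                          capture_output=True, text=True)
    return check_signature_status(proc.stdout, expected)


# Constructed sample output (not captured from a real gpg run), shaped like the
# records gpg emits; the primary fingerprint and key id are the ones on this page,
# the subkey values are made up.
SAMPLE_COLON_OUTPUT = """\
pub:-:4096:1:3043E2B7139A768E::::-:::scESC:
fpr:::::::::4E0791268F7C67EABE88F1B03043E2B7139A768E:
uid:-::::::::Riseup Networks <collective@riseup.net>:
sub:-:4096:1:FFFFFFFFFFFFFFFF::::-:::s:
fpr:::::::::FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:
"""

SAMPLE_STATUS_OUTPUT = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 3043E2B7139A768E Riseup Networks <collective@riseup.net>
[GNUPG:] VALIDSIG 4E0791268F7C67EABE88F1B03043E2B7139A768E 2017-05-29 1496016000 0 4 0 1 10 01 4E0791268F7C67EABE88F1B03043E2B7139A768E
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

# A good signature made by some other key (constructed fingerprint): must be rejected.
SAMPLE_STATUS_OTHER_KEY = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Someone Else <someone@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2017-05-29 1496016000 0 4 0 1 10 01 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

if __name__ == "__main__":
    print("imported key is Riseup's:", imported_key_is_riseup(SAMPLE_COLON_OUTPUT))
    print("signature check:", check_signature_status(SAMPLE_STATUS_OUTPUT))
```

The point of checking VALIDSIG rather than grepping for "Good signature" is that a good signature from the wrong key also prints "Good signature"; only the fingerprint tells you who signed. The "not certified" warning shows up as TRUST_UNDEFINED and leaves `good` true, which is the situation described above.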

Compare the fingerprints

Now that you have verified that the signed message above really contains Riseup's certificate fingerprints, you can compare those values to the one your browser reports. In most browsers, you can find the fingerprint of the certificate your browser sees by clicking on the lock icon in the location bar. This should bring up details about the certificate being used, including the fingerprint.

If the values match, and you trust the Riseup public OpenPGP key, then you can be confident you are really communicating with riseup.net servers.
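The comparison step from the basic verification above and from this section is easy to get wrong by hand, because browsers display fingerprints as upper-case pairs separated by colons or spaces while this page lists them as unbroken lower-case hex. The following Python example is added here and is not Riseup's code: it decodes a PEM certificate, computes the SHA-256 and SHA-1 fingerprints (each is simply a hash of the DER-encoded certificate), and normalizes both forms before comparing. The embedded PEM is a constructed stand-in whose body is just the base64 of "abc", not a real certificate, so the hashing can be checked offline; `check_host` is the one part that needs network access and fetches the certificate a server presents using the standard library.

```python
import base64
import hashlib
import ssl

# Values as listed on this page for help.riseup.net.
LISTED = {
    "help.riseup.net": {
        "sha256": "4df80dbf1c44d4a4edc8fdf000afec2093fe2ed7e3be5495749227d646347f5c",
        "sha1": "f8bd3869d4f879cacc524860a176fa997ea73a88",
    },
}

# Constructed stand-in for a PEM file: the body is base64("abc"), not a real
# certificate, so the expected fingerprints are the well-known digests of "abc".
CONSTRUCTED_PEM = """\
-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""


def normalize(fingerprint: str) -> str:
    """Browsers show 'AB:CD:...' or 'AB CD ...' in upper case; this page lists
    unbroken lower-case hex. Reduce both to bare lower-case hex digits."""
    return "".join(ch for ch in fingerprint.lower() if ch in "0123456789abcdef")


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and base64-decode the body to DER bytes."""
    body, inside = [], False
    for line in pem.splitlines():
        if line.startswith("-----BEGIN"):
            inside = True
        elif line.startswith("-----END"):
            break
        elif inside:
            body.append(line.strip())
    return base64.b64decode("".join(body))


def fingerprints(pem: str) -> dict:
    """A certificate fingerprint is a hash of the DER-encoded certificate; the
    'SHA-256 fingerprint' and 'SHA-1 fingerprint' differ only in the hash used."""
    der = pem_to_der(pem)
    return {"sha256": hashlib.sha256(der).hexdigest(),
            "sha1": hashlib.sha1(der).hexdigest()}


def matches(reported: str, listed: str) -> bool:
    """Compare a browser-reported fingerprint with a listed one after
    normalizing both; a truncated value does not match."""
    return normalize(reported) == normalize(listed)


def check_host(host: str, listed: dict, port: int = 443) -> dict:
    """Fetch the certificate a server actually presents (needs network) and
    compare it with the listed values. ssl.get_server_certificate performs no
    chain validation; here the signed fingerprint list is the check."""
    pem = ssl.get_server_certificate((host, port))
    got = fingerprints(pem)
    return {alg: matches(got[alg], listed[alg]) for alg in listed}


if __name__ == "__main__":
    print(fingerprints(CONSTRUCTED_PEM))
    # Live check, when online:
    # print(check_host("help.riseup.net", LISTED["help.riseup.net"]))
```

Because the notes in the signed statement say several of these certificates are auto-renewed Let's Encrypt certificates, a live `check_host` against today's servers is expected to report a mismatch once a renewal has happened; the comparison is only meaningful against a fingerprint list that is current and whose signature you have verified.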

I want to learn more!

Great, this is an important topic. We encourage you to read this piece, which clearly explains in non-technical terms the problems with certificate authorities and outlines some interesting suggestions for how the existing architecture and protocols could be tweaked just a little to change the situation for the better.